Cyber-attackers are evolving in complexity and sophistication at an unprecedented rate – catalysed by COVID-19. Increasingly, more destructive modes of attacks, such as island-hopping, have emerged over the past year. These have also led to high-profile breaches, especially over the past few months, with the threat of more on the horizon.
Major cyberattacks, including ransomware, have the potential to kneecap the operations of Singapore’s Financial Institutions (FIs). The stakes are high – with potentially sensitive data or essential operations at risk, the Monetary Authority of Singapore has issued a revised set of Technology Risk Management (TRM) guidelines that lay out how FIs should be mitigating the technology risks they encounter in their plan to digitalize.
As the threat landscape continues to evolve, resiliency will be central to FIs succeeding in the new normal. According to IDC, organisations focused on digital resiliency will be able to adapt to disruption 50 percent faster than those that focus on restoring existing business and IT resiliency levels in 2022. FIs hence need to build on their digital resiliency to better handle the coming challenges of the evolving threat landscape.
Managing the intangible
In our increasingly digital world, it is not an organisation’s physical assets that catch the eye of cybercriminals. When cyber-attackers take aim, the main target is usually data – the lifeblood of FIs. Data is produced and collected in aggregate across the company, creating large volumes of data daily. Hence, it is essential that FIs have a complete and updated overview of their data.
The new TRM guidelines touch on this, as they lay out the need for an accurate and complete overview of the FI’s information within the organisation. The reason is simple – not all data is the same. FIs are likely to be in possession of data that may be classified, sensitive or critical to operations, including information assets that support the delivery of essential financial services.
The first step to establishing clear policies and standards on data management is to properly classify data based on how critical or sensitive it is. Policies such as user access management for information assets should be set up based on security classification or data. This ensures only essential and necessary access to sensitive data is granted, which criticality limits potential attack points that cybercriminals can exploit.
Unfortunately, the exposure to a breach or an attack seems to be an eventuality for most organisations. In such a situation, maintaining system availability will be key to FIs keeping up operational capabilities.
Resilience must be an integral part of FIs data management. A backup and recovery plan for classified, essential, and sensitive data is necessary for organisations to quickly mitigate a cyberattack. Such as plan is also important for regulatory and compliance requirements.
Taking a layered approach to securing data, such as immutable backups and air-gapping, also helps FIs ward against malicious threats. To achieve this, FIs can explore Backup-as-a-Service (Baas) options for backup, recovery, and data protection to preserve an airtight virtual copy of their data in the cloud.
A cloud-based backup and recovery can help FSI organisations manage compliance, scale when needed, and to manage increasing data costs. BaaS is perfect, as it can be moved from the traditional CapEx to OpEx immediately without infrastructure.
Furthermore, FIs will do well to maintain a state of recovery readiness and be regularly monitoring and evaluating their processes. Regular threat-hunting, vulnerability assessments, and penetration testing should be part of the cybersecurity roundup. Besides that, IT teams need to ensure redundancy in all essential, high availability IT systems.
Lastly, organisations must have a plan ready for when disaster strikes. When data is compromised, such as through ransomware, disaster recovery is essential to reducing breach impact and resuming normal business operations.
The human element
According to IDC, 75 percent of CIOs will be integral to business decision making by 2023 as digital infrastructure becomes the new business ‘operating system’. In this age, the CIO does not just lead the organisation’s digital transformation but is integral to spearheading its business recovery practises. The revised TRM also emphasises the need for qualified digital leaders. It goes as far as to require board of directors and senior management in FIs to vet and approve key technology and cyber-security appointments.
FIs must have a qualified CIO at the helm to lead the risk assessment and identification, and drive organisational recovery in times of attacks. It is essential that the CIO is empowered to decide and implement effective internal controls to manage technology risks. When it comes to cybersecurity, investments pay off in the long run – meaning the CIO must have the discretion to make spending decisions that may not see immediate benefit.
Finally, the buck does not stop at senior management. While the onus is on CIOs to cultivate a culture of technology risk awareness and management, it is crucial that cyberthreat awareness and education needs to be extended to the rank and file. Employees must be educated on their roles and responsibilities in managing cybersecurity risks. Regular education and training that is updated for evolving attack methods is the best way for FIs to maintain robust defences.
The appropriate question to ask in the current cyber threat climate is “When will (not “if”) a cyberattack happen to my organisation?”. The stakes are high and FIs have much to lose in the event of a disastrous or high-profile data breach. As cyber criminals develop new ways to penetrate cybersecurity defences, it is important for FIs to stay one step ahead of the threat actors. With an experienced leader calling the shots, as well as securing essential and sensitive information assets and preventing them from being exposed and used against the organisation, FIs have the best chances of being prepared when they are in the firing line.